Enabling Syslog for Cisco 9800 Controller and APs

Leave a comment Posted by on March 26, 2024

Below details how to enable Syslogging for both the controller and APs.

In the controller, it seems its CLI only (If not, please comment how to do from GUI). First lets set the Controller to send syslogs. Navigate to Administration and CLI:

– then change the options to run as configuration. Next enter in the info you need. Below is the commad:

logging host <IP Address> transport <TCP/UDP> port <PortNumber>

All is default with my needs, so here is the command I will use : logging host 10.100.64.49

Thats it for the controller- now the APs.

To set the APs you can use the gui – the settings are located in the AP profile, in my example, its still default. Very small deployment. Configuration – Tags and Profiles – then the AP Join profile.

Once you open the needed profile to modify you will have the below settings – You see the Management tab. Once you open that tab, you will see the System log settings. Just set to what you need, apply, and don’t forget to save!

Cisco , , , ,

Fortinet LDAP/RADIUS Source address with SD-WAN setup

Leave a comment Posted by on June 21, 2023

I found this a neat tidbit of knowledge that I thought I should share.

Created a Fortinet SDWAN setup with many sites – works awesome. Fortinet’s SDWAN is simple, but very effective with some really cool features to help with SLAs.

During this setup, I have Radius, and LDAP servers located across one of the members of the SDWAN (An IPSEC tunnel). As before with tunnels, you would modify the source address in CLI for the destination server. This would make sure requests originate from the interface you are expecting, and will go through the tunnel.

After switching the tunnel to be a member of a SDWAN interface the LDAP/RADIUS requests stopped working. I found another command was needed. This command is needed not only for Radius, and LDAP but also for FAZ, Fortiguard, and dns.

In CLI of both Radius and LDAP servers you will see these options:

The trick here is to set the “interface-select-method” to sdwan. This resolved my issue and allowed things to start working. The reason it does this is that Self-originating traffic, such as Syslog, FortiAnalyzer logging, FortiGuard services, remote authentication, and others, relies on routing table lookups to determine the egress interface that is used to initiate the connection. Policy routes generated by SD-WAN rules do not apply to this traffic.

Fortigate , , , , ,

Enable Open wifi authentication in Fortios 7.0+

Leave a comment Posted by on January 26, 2023

I was creating an SSID from within the Fortigate to manged Fortiaps and noticed I could not change the security to “Open”. The only options were security options, and Captive-Portal. I was like, where is Open?

You can enable this through CLI

See below for enabling in CLI

just edit your correct SSID name.

Uncategorized

Microsoft NPS logs not showing in Event Viewer?

Leave a comment Posted by on March 2, 2022

One of the best troubleshooting steps for Radius/NPS is to look in the event viewer to see why you are having failures. This shows if the server is actively denying the user login attempts due to Creds/Certificate/etc.

Sometimes your successes for failures do not show up in Event viewer – this is usually to do with audit logging not including everything. There are a few ways to modify this – but here I will show two easy ones.

The first is to use the NPS settings to make sure these logs are recorded – Even those these might be checked, I have seen the logs not recorded. I do believe the Audit policy overrides these settings. Our first step is to open up NPS, and right click on the NPS server.

Then we can open up properties and make sure all settings are checked.

Our next option is to use the Audit policy CLI commands to set the success or failure to enable (Enable – enables logging).

auditpol /set /subcategory:”Network Policy Server” /success:enable /failure:enable

You can get the current settings by running the following command in Admin CMD.

auditpol /get /subcategory:”Network Policy Server”

Misc , ,

Recover Cisco 9200 switch from firmware loss

Leave a comment Posted by on February 11, 2022

recently I had an issue where the firmware on a 9200 switch was corrupted. This can help during an upgrade, or removal, etc.

After a reboot the switch came up to rom monitor mode, no biggie I thought- just copy the firmware from USB over to flash and install. This did not work, I continued to get error: “Unsupported destination device/filesystem.” see below-

switch: copy usbflash0:cat9k_lite_iosxe.17.03.04b.SPA.bin flash
Unsupported destination device/filesystem.

I then booted from the USB image and installed the system that way. My steps were:

  • Frist check the file on USB and make sure its there/get the name.

switch: dir usbflash0:

Attributes Size Name

D-HS- 0 System Volume Information
—-A 482856473 cat9k_lite_iosxe.17.03.04b.SPA.bin

Then set my switch to boot to this value :

switch: boot usbflash0:cat9k_lite_iosxe.17.03.04b.SPA.bin

This fully loaded up the switch, and came up at a default setup screen. Once there I copied over the file VIA TFTP to flash. The device would not recognize the USB drive now (Probably cause I booted from it). Once copied to flash, I just installed normally, and rebooted.

Switch# install add file flash:/cat9k_lite_iosxe.17.03.04b.SPA.bin activate commit
install_add_activate_commit: START Thu Feb 10 16:59:35 UTC 2022
Feb 10 16:59:36.334: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install one-shot flash:/cat9k_lite_iosxe.17.03.04b.SPA.bin
Feb 10 16:59:36.334 %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install one-shot flash:/cat9k_lite_iosxe.17.03.04b.SPA.bin

*Feb 10 16:59:36.297: %INSTALL-5-INSTALL_START_INFO: Switch 1 R0/0: install_engine: Started install one-shot flash:/cat9k_lite_iosxe.17.03.04b.SPA.bininstall_add_activate_commit: Adding PACKAGE
install_add_activate_commit: Checking whether new add is allowed ….

This operation requires a reload of the system. Do you want to proceed?
Please confirm you have changed boot config to flash:packages.conf [y/n]y

IMPORTANT!!!

Next you have to change the boot config – or else it will go back to rom monitor.

config t

boot system flash:packages.conf

exit

wr mem

That’s it!

Cisco , , , ,

Cisco ASR “private key not found” Error

Leave a comment Posted by on January 13, 2022

I was working on a ASR running code: asr1000rp1-ipbasek9.02.02.01.122-33.XNB1.bin. I wiped the config and started over from the last setup, and tried to SSH in. I was continually getting denied, and check the router – This error showed up.

1w2d: SSH2 0: RSA_sign: private key not found
1w2d: SSH2 0: signature creation failed, status -1

My first thought was to recreate the cert – so I did, still a no go.

I then recreated the cert with a different label or name, and then told the ASR to use this key pair instead – and everything worked. Its like I could not find the default key pair. The commands that I did to fix this are:

crypto key gen rsa general-keys label KEYPAIR-1 modulus 2048

ip ssh rsa keypair-name KEYPAIR-1

Then the ASR gave this back:

Jan 13 07:08:51: %IOSXE-7-PLATFORM: SIP0: sntp: resetting on error 0.273 > 0.1
Jan 13 07:08:52: %SSH-5-DISABLED: SSH 2.0 has been disabled
Jan 13 07:08:52: %SSH-5-ENABLED: SSH 2.0 has been enabled

Cisco , ,

Adding Mobile tokens to Fortiauthenticator

Leave a comment Posted by on November 11, 2021

When purchasing mobile tokens for Fortiauthenticator FGT or a partner will usually send a PDF with an activation code. The PDF has good instructions on how to register the code, but I thought I would show some images.

Open the PDF. On the top it will say something like “FortiToken TM Mobile Redemption Certificate”

It will also have an activation code – for example 34D8-xxxx-xxxx-xxxx-xxxx

Login into your Fortiauthenticator and navigate to

  1. Go to Authentication > User Management > FortiTokens and select Create New.
  1. Select FortiToken Mobile, enter the 20-digit certificate code in the Activation Code box and select OK.
  1. Once the activation code has been validated, FortiTokens will be displayed on the page with Status set to Available

Forti-Products , , ,

Reset HP 5900 back to default

Leave a comment Posted by on November 10, 2021

Below is how to factory reset a HP 5900. This will remove all configuration.


reset saved-configuration main

reset saved-configuration backup
The saved configuration file will be erased. Are you sure? [Y/N]:y
Configuration file in flash: is being cleared.
Please wait …
MainBoard:
Configuration file is cleared.
reboot
Start to check configuration with next startup configuration file, please wait………DONE!
Current configuration may be lost after the reboot, save current configuration? [Y/N]:n
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait…
%Dec 31 19:03:00:203 2010 Switch-Dal-Core DEV/5/SYSTEM_REBOOT: System is rebooting now.

Thats it! the main thing to remember is to reset both the saved-configuration main, and backup slots. Then reboot, and make sure not to save the configuration.

Misc , , , ,

Ruckus ICX switching – Displaying files on USB or flash

Leave a comment Posted by on September 30, 2021

I needed to update the firmware on a Ruckus ICX 7150, but could not remember the file name of the firmware I was updating. I looked through the commands for a dir: flash, or dir:usb and really couldn’t find much. After some googling didn’t come up with anything either.

To display the the files use the “Show files {Device}” for example to show files on flash “show files flash”

ICX7150-24P Switch#show files?
ASCII string dir name


ICX7150-24P Switch#show files flash

Type Size Name

F 33554432 primary
F 32539748 secondary
F 256 primary.sig
F 162204 poe-fw
F 1576 $$ssh8rsahost.key
F 256 secondary.sig

66258472 bytes 6 File(s) in FI root

1135529984 bytes free in FI root

Below show getting the files on the USB drive.

ICX7150-24P Switch#show files disk0
F 60783027 SPR08095dufi.bin
D 4096 [—-] disk0/System Volume Information

60783027 bytes 1 File(s) in disk0

Ruckus , , ,

Setting up Static Addresses for Fortigate SSL VPN clients

Leave a comment Posted by on September 27, 2021

I needed to have a specific SSL VPN client to always have the same IP address. This is not overly simple as it seems it should be. I have read there are very neat ways to do it through FortiAuth, or Radius options – but Here I am just doing all Fortigate configuration.

I am using a local account on the firewall in this example, but it would work with an AD users without issues – you would just have to map the user directly and not use groups.

SO, in this example I have a Scan gun that needs to have a specific IP every time it connects. So an overview of the steps are:

  • Setup SSL VPN (Should be already done if you are trying this).
  • Have LDAP or Radius integration already setup if you are specifically using that.
  • Setup Address object that you need the device to get – For this example 10.200.253.241.
  • Create a user object either local, or LDAP/Radius. – In this example Bargun01.
  • Create a specific portal if needed just for this user.
  • Create group/portal matching in SSL Settings.
  • Create firewall policy allowing that client in.

Ok, first lets create our address object .

Next lets create our user object – We need to do a specific user object, because we only want one device to be logged in and match this policy.

Then lets create the portal specific for this device – which only needs access to one server. In this portal we will match the it to the individual IP object we created, and set the remote access server it needs. Notice that the source IP Pool is the specific IP we set – this is where all the real magic is.

Next lets match up our user to the portal.

One more thing to do – and that’s to setup our firewall policy! Notice that the user matches what we put in the portal. Very specific. That’s it.

Fortigate , ,

Older posts